(b) the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;

(c) a description of the personal information that is the subject of the breach to the extent that the information is known;

(d) a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;

(e) a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and

(f) contact information that the affected individual can use to obtain further information about the breach.

Marginal note: Direct notification — form and manner

4 For the purposes of subsection 10.1(5) of the Act, direct notification must be given to the affected individual in person, by telephone, mail, email or any other form of communication that a reasonable person would consider appropriate in the circumstances.

Marginal note: Indirect notification — circumstances

5(1) For the purposes of subsection 10.1(5) of the Act, indirect notification must be given by an organization in any of the following circumstances:

(a) direct notification would be likely to cause further harm to the affected individual;

(b) direct notification would be likely to cause undue hardship for the organization; or

(c) the organization does not have contact information for the affected individual.

Marginal note: Indirect notification — form and manner

(2) For the purposes of subsection 10.1(5) of the Act, indirect notification must be given by public communication or similar measure that could reasonably be expected to reach the affected individuals.

Record-keeping

Marginal note: Record-keeping requirements

6(1) For the purposes of subsection 10.3(1) of the Act, an organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.

Marginal note: Compliance

(2) The record referred to in subsection 10.3(1) of the Act must contain any information that enables the Commissioner to verify compliance with subsections 10.1(1) and (3) of the Act.

Coming into Force

Marginal note: S.C. 2015, c. 32

*7 These Regulations come into force on the day on which section 10 of the Digital Privacy Act comes into force, but if they are registered after that day, they come into force on the day on which they are registered.